000036891 - Listing the contents of the RSA Authentication Manager Java KeyStore (JKS) files

Document created by RSA Customer Support Employee on Nov 14, 2018. Last modified by RSA Customer Support Employee on Nov 14, 2018.
Version 2

Article Content

Article Number: 000036891
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2.0 or later
Platform: Linux
 
Issue: For troubleshooting certificate issues with an Authentication Manager deployment.

Resolution: This knowledge article provides a Linux shell script which can be executed on any Authentication Manager instance in a deployment to list the contents of the JKS files found in /opt/rsa/am/server/security.
 

The Linux shell script must be executed with root privileges and requires the Operations Console username and password.



Installation



  1. Download the attached AMJKSlist.sh shell script and copy it into /tmp on the Authentication Manager instance in the deployment. Review the article on how to enable Secure Shell on the Appliance, if needed. Where SSH has been enabled, a secure FTP client, such as WinSCP, can be used to copy the shell script into /tmp.
  2. Change the permissions of the AMJKSlist.sh shell script so it can be executed at the command line:


chmod 755 /tmp/AMJKSlist.sh


Usage



  1. Log on to the Authentication Manager instance with the rsaadmin account, either in an SSH session or at the local console.

Note that during Quick Setup a user name other than rsaadmin may have been selected. Use that user name to log in.



  1. Change the privileges of the rsaadmin account using the command:


sudo su -


Note that if you do not change the privileges of the rsaadmin account, the following message appears:



You must be the root user to use this program; exiting...


  1. Navigate to /tmp:


cd /tmp


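  1. The shell script can be executed in one of two ways, as Operations Console user credentials are required: with the credentials supplied as arguments, or with no arguments, in which case the script prompts for them. Prompting keeps the password out of the shell history and the process list.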


cd /tmp
./AMJKSlist.sh <Operations Console administrator name> <Operations Console administrator password>
Checking OC credentails..
OC credentials validated... redirecting to menu..


or




cd /tmp
./AMJKSlist.sh

Checking OC credentials....missing OC credentials!
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>

OC credentials validated... redirecting to menu..



  1. The shell script menu displays:


RSA Customer Support (Asia Pacific)

Listing Authentication Manager Java KeyStore Contents

1) Display JKS Passwords
2) Generate a Report - JKS Contents
9) Exit

Please select an option



Display JKS Passwords



Option 1 will display the passwords required to open the Authentication Manager Java KeyStore files.  For example:




RSA Customer Support (Asia Pacific)

Listing Authentication Manager Java KeyStore Contents

1) Display JKS Passwords
2) Generate a Report - JKS Contents
9) Exit

Please select an option
1
Obtaining the JKS passwords..

SSL Client Identity Certificate Keystore File Password : CghsVPZIqimVOh7VTnf3LYbyoZ156H
SSL Server Identity Certificate Keystore File Password : lfN25RuibhUMUPToxfwir2eyFy066e
Root Certificate Keystore File Password : hWjA09JSGwRAxhh3UGydXcdLJ63Iw1
SSL Trust Store File Password : PmUzMsNOBP7UGcLhuELpfMAyb9h2fU

done!

Press any key to continue...


Generate a Report - JKS Contents



Option 2 will generate a report and list the contents of the Java KeyStore files.  For example:



RSA Customer Support (Asia Pacific)

Listing Authentication Manager Java Ketstore Contents

1) Display JKS Passwords
2) Generate a Report - JKS Contents
9) Exit

Please select an option
2
Obtaining the JKS passwords..done!
Generating the report..
Listing contents of /opt/rsa/am/server/security/DemoIdentity.jks to file..
Listing contents of /opt/rsa/am/server/security/biztier-identity.jks to file..
Listing contents of /opt/rsa/am/server/security/caStore.jks to file..
Listing contents of /opt/rsa/am/server/security/console-identity.jks to file..
Listing contents of /opt/rsa/am/server/security/trust.jks to file..
Listing contents of /opt/rsa/am/server/security/vh-identity.jks to file..
Listing contents of /opt/rsa/am/server/security/vh-inactive.jks to file..
Listing contents of /opt/rsa/am/server/security/webserver-identity.jks to file..
Listing contents of /opt/rsa/am/server/security/webserver-inactive.jks to file..
Listing contents of /opt/rsa/am/server/security/webtier-identity-webtier01.jks to file..
done!

Report filename : /tmp/AMJKS-report_201810301412.log

Press any key to continue...


Exit



Option 9 will leave the program.  For example:




RSA Customer Support (Asia Pacific)

Listing Authentication Manager Java Ketstore Contents

1) Display JKS Passwords
2) Generate a Report - JKS Contents
9) Exit

Please select an option
9
Bye!


 



Example Report




RSA Customer Support (Asia Pacific) (1412-30102018)

Listing Authentication Manager Java KeyStore Contents

Authentication Manager JKS Filename : /opt/rsa/am/server/security/DemoIdentity.jks

Authentication Manager JKS Filename : /opt/rsa/am/server/security/biztier-identity.jks


Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: server_identity_key_webserver
Creation date: Oct 24, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: SERIALNUMBER=19a5d1309aa75cf8691381cb6a280aa3ca2be80fa83787e205756d77716f9f2b, CN=app82p.csau.ap.rsa.net
Issuer: SERIALNUMBER=ca8b90357e5c73bc759f681735c258e96efbb72f50814403ffd0261e5dc700d3, CN=RSA root CA for app82p.csau.ap.rsa.net
Serial number: 59238e1417ac4b9cfd2a7dd9193b9ece
Valid from: Tue Oct 23 13:46:47 AEDT 2018 until: Thu Jan 01 00:00:00 AEDT 2037
Certificate fingerprints:
         MD5:  88:47:12:51:EA:4C:11:73:68:C1:27:0F:6A:1D:12:6B
         SHA1: EE:6E:36:31:CB:F9:8E:D0:49:71:22:DF:2A:8A:16:71:06:4E:D6:83
         SHA256: 6F:2B:49:98:D9:EC:7F:AC:F2:B4:B0:7B:C9:66:A3:35:97:D6:42:37:42:EC:6B:93:A5:B0:1B:D6:28:50:14:E9
         Signature algorithm name: SHA256withRSA
         Version: 3
Certificate[2]:
Owner: SERIALNUMBER=ca8b90357e5c73bc759f681735c258e96efbb72f50814403ffd0261e5dc700d3, CN=RSA root CA for app82p.csau.ap.rsa.net
Issuer: SERIALNUMBER=ca8b90357e5c73bc759f681735c258e96efbb72f50814403ffd0261e5dc700d3, CN=RSA root CA for app82p.csau.ap.rsa.net
Serial number: 4df353521ef573fd66bdc41bd67240c2
Valid from: Tue Oct 23 13:46:46 AEDT 2018 until: Thu Jan 01 00:00:00 AEDT 2037
Certificate fingerprints:
         MD5:  2B:D2:89:B6:C8:AF:6E:DE:AB:F3:68:F0:C6:68:11:79
         SHA1: E9:61:17:A2:E2:6A:D0:18:0D:2F:C2:6E:8E:C4:EF:56:F6:0A:40:47
         SHA256: 4D:E9:10:D3:D1:51:49:16:C0:36:D1:52:2F:D5:02:A6:8E:7D:9E:E9:60:AD:08:C8:21:0E:6E:64:E0:D8:B6:67
         Signature algorithm name: SHA256withRSA
         Version: 3


*******************************************
*******************************************

...
...
...
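
The report is plain keytool-style text, so it can be reduced to one line per certificate when checking which certificate in which keystore is about to expire. The following is an added example, not part of AMJKSlist.sh or of the original article; the function names and the sample hostnames are constructed, and it assumes dates are printed in the form shown in the example report.

```shell
# Added example (not the AMJKSlist.sh source): summarise a report file.
# Assumes the keytool-style layout of the example report, with dates
# printed as "Thu Jan 01 00:00:00 AEDT 2037".
# jks_report_summary REPORT [CUTOFF_YYYYMMDD]
# Prints: keystore <TAB> alias <TAB> chain index <TAB> CN <TAB> expiry <TAB> status
jks_report_summary() {
    awk -v cutoff="${2:-0}" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    # Header line written before each keystore listing.
    /^Authentication Manager JKS Filename :/ { n = split($NF, p, "/"); jks = p[n]; next }
    # Trusted-certificate entries have no "Certificate[n]:" line, so reset to 1.
    /^Alias name:/ { alias = $0; sub(/^Alias name: */, "", alias); idx = 1; next }
    /^Certificate\[[0-9]+\]:/ { idx = $1; gsub(/[^0-9]/, "", idx); next }
    /^Owner:/ {
        cn = match($0, /CN=[^,]*/) ? substr($0, RSTART + 3, RLENGTH - 3) : "-"
        next
    }
    /^Valid from:/ {
        u = $0; sub(/^.*until: */, "", u); split(u, f, " ")
        ymd = sprintf("%04d%02d%02d", f[6], mon[f[2]], f[3])
        late = (cutoff + 0 > 0 && ymd + 0 < cutoff + 0)
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", jks, alias, idx, cn, ymd, (late ? "EXPIRES_BEFORE_CUTOFF" : "ok")
    }' "$1"
}

# Constructed sample input (hostnames and serial numbers are made up).
sample_report() {
    cat <<'EOF'
Authentication Manager JKS Filename : /opt/rsa/am/server/security/biztier-identity.jks

Keystore type: JKS

Alias name: server_identity_key_webserver
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: SERIALNUMBER=0000, CN=am1.example.test
Issuer: SERIALNUMBER=1111, CN=RSA root CA for am1.example.test
Valid from: Tue Oct 23 13:46:47 AEDT 2018 until: Thu Jan 01 00:00:00 AEDT 2037
Certificate[2]:
Owner: SERIALNUMBER=1111, CN=RSA root CA for am1.example.test
Issuer: SERIALNUMBER=1111, CN=RSA root CA for am1.example.test
Valid from: Tue Oct 23 13:46:46 AEDT 2018 until: Sat Oct 23 13:46:46 AEDT 2027
EOF
}
```

For example, `jks_report_summary /tmp/AMJKS-report_201810301412.log 20190101` marks every certificate in that report that expires before 1 January 2019.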
